SpyBara
Go Premium

Documentation 2026-07-14 17:03 UTC to 2026-07-15 19:58 UTC

11 files changed +667 −68. View all changes and history on the product overview
2026
Wed 15 19:58 Tue 14 17:03 Wed 8 02:01 Mon 6 22:58
Details

156 {156 {

157 title: "Deployment and model providers",157 title: "Deployment and model providers",

158 description:158 description:

159 "Connect managed hosts or configure a supported external model provider.",159 "Deploy the Windows app, connect managed hosts, or configure a supported external model provider.",

160 pages: [160 pages: [

161 {

162 title: "Windows app deployment",

163 description:

164 "Choose an installation and update path for managed Windows devices.",

165 href: "/codex/enterprise/windows-deployment",

166 icon: "settings",

167 },

161 {168 {

162 title: "Remote connections",169 title: "Remote connections",

163 description: "Start and control work on connected computers.",170 description: "Start and control work on connected computers.",

Details

10credit consumption.10credit consumption.

11 11 

12Fast mode increases supported model speed by 1.5x and consumes credits at a12Fast mode increases supported model speed by 1.5x and consumes credits at a

13higher rate than Standard mode. It currently supports GPT-5.5 and GPT-5.4,13higher rate than Standard mode. It currently supports GPT-5.6, GPT-5.5, and

14consuming credits at 2.5x the Standard rate for GPT-5.5 and 2x the Standard14GPT-5.4. GPT-5.6 and GPT-5.5 consume credits at 2.5x the Standard rate;

15rate for GPT-5.4.15GPT-5.4 consumes credits at 2x the Standard rate.

16 16 

17Use `/fast on`, `/fast off`, or `/fast status` in the CLI to change or inspect17Use `/fast on`, `/fast off`, or `/fast status` in the CLI to change or inspect

18the current setting. You can also persist the default with `service_tier =18the current setting. You can also persist the default with `service_tier =

19"fast"` plus `[features].fast_mode = true` in `config.toml`. Fast mode is19"fast"` plus `[features].fast_mode = true` in `config.toml`. Fast mode is

20available in the ChatGPT desktop app, Codex CLI, and IDE extension when you20available in the ChatGPT desktop app, Codex CLI, and IDE extension when you

21sign in with ChatGPT. With an API key, Codex uses standard API pricing instead21sign in with ChatGPT. Fast mode is a ChatGPT credit feature. With an API key,

22and you can't use Fast mode credits.22Codex uses API token pricing instead, and ChatGPT credit multipliers don't

23apply. API Priority processing has its own billing rate; for GPT-5.6, it costs

242x the Standard API token rate.

23 25 

24<VideoPlayer26<VideoPlayer

25 src="/videos/codex/fast-mode-demo.mp4"27 src="/videos/codex/fast-mode-demo.mp4"

app/features.md +7 −0

Details

63 href: "/codex/pets",63 href: "/codex/pets",

64 icon: "customize",64 icon: "customize",

65 },65 },

66 {

67 title: "Codex Micro",

68 description:

69 "Monitor and control ChatGPT tasks from a Work Louder keyboard.",

70 href: "/codex/features/codex-micro",

71 icon: "key",

72 },

66 ],73 ],

67 },74 },

68 {75 {

app/windows.md +4 −5

Details

22 22 

23Then follow the [quickstart](https://learn.chatgpt.com/docs/quickstart?setup=app) to get started.23Then follow the [quickstart](https://learn.chatgpt.com/docs/quickstart?setup=app) to get started.

24 24 

25For enterprises, administrators can deploy the app with Microsoft Store app25For enterprise installation and update options, see

26distribution through enterprise management tools.26[Deploy the Windows app](https://learn.chatgpt.com/docs/enterprise/windows-deployment).

27 27 

28If you prefer a command-line install path, or need an alternative to opening28If you prefer a command-line install path, run:

29the Microsoft Store UI, run:

30 29 

31```powershell30```powershell

32winget install Codex -s msstore31winget install --id 9PLM9XGG6VKS -s msstore

33```32```

34 33 

35## Native sandbox34## Native sandbox

Details

1# Deploy the Windows app

2 

3Choose a deployment path based on who controls installation and updates and

4whether your network allows Microsoft's app-distribution services. The app is

5Store-signed, but users don't need to open the Microsoft Store. Standard

6installation and updates use Microsoft's app installation and Windows Update

7services.

8 

9| Scenario | Deployment path |

10| -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- |

11| Users install and update their own apps | Use the [web installer](https://get.microsoft.com/installer/download/9PLM9XGG6VKS?cid=website_cta_psi). |

12| IT deploys the app and Microsoft update services are available | Deploy the Microsoft Store app through Intune or another management tool. |

13| IT controls update timing or blocks Microsoft update services | Redeploy each new version through your software-management process. |

14| Your network blocks Microsoft app-distribution services | Use the offline MSIX package for restricted networks. |

15 

16## Let users install and update the app

17 

18If users can manage their own applications, direct them to the

19[web installer](https://get.microsoft.com/installer/download/9PLM9XGG6VKS?cid=website_cta_psi).

20The installer provides the standard installation and automatic-update

21experience. Microsoft Store components may appear during installation or

22updates, but users don't need to browse the Store themselves.

23 

24You can also install the app from the command line:

25 

26```powershell

27winget install --id 9PLM9XGG6VKS -s msstore

28```

29 

30## Deploy with an enterprise management tool

31 

32If your organization centrally manages software, deploy the Microsoft Store app

33through Microsoft Intune or another compatible mobile device management (MDM)

34or software-deployment platform. Search for ChatGPT from OpenAI in the

35Microsoft Store app flow, or use this Store product ID:

36 

37```text

389PLM9XGG6VKS

39```

40 

41This is the recommended enterprise deployment method when your environment

42allows Microsoft Store app deployment and update endpoints. Users don't need to

43open the Microsoft Store themselves.

44 

45For Intune setup details, see

46[Add Microsoft Store apps to Microsoft Intune](https://learn.microsoft.com/en-us/intune/app-management/deployment/add-microsoft-store).

47 

48## Control update timing

49 

50If your organization blocks automatic app updates, Windows Update, or Microsoft

51Store update endpoints, your IT team owns the update lifecycle. Codex can run in

52this environment, but you must redeploy newer packages through your change

53management process.

54 

55Redeploy the package with each Codex release when possible. If that cadence

56isn't practical, check for a newer package at least weekly and redeploy when a

57newer version is available. Users should restart the app after you deploy an

58update.

59 

60Deferring updates is a security and reliability tradeoff because the app

61includes browser and runtime components that receive regular updates.

62 

63## Deploy without Microsoft distribution services

64 

65If your environment can't use the standard Microsoft distribution services,

66download [Codex-x64.zip](https://persistent.oaistatic.com/codex-app-prod/Codex-x64.zip)

67as an offline deployment option. The archive contains the Store-signed offline

68MSIX package and its associated license files. Ingest these files into your MDM

69or software-deployment platform.

70 

71The offline package:

72 

73- Supports deployment in restricted environments.

74- Doesn't provide a standalone MSI or non-Store EXE.

75- Doesn't let users update the app themselves.

76- Requires your organization to deploy newer packages when updating the app.

77 

78## Related resources

79 

80- [ChatGPT desktop app for Windows](https://learn.chatgpt.com/docs/windows/windows-app)

features.md +7 −0

Details

63 href: "/codex/pets",63 href: "/codex/pets",

64 icon: "customize",64 icon: "customize",

65 },65 },

66 {

67 title: "Codex Micro",

68 description:

69 "Monitor and control ChatGPT tasks from a Work Louder keyboard.",

70 href: "/codex/features/codex-micro",

71 icon: "key",

72 },

66 ],73 ],

67 },74 },

68 {75 {

features/codex-micro.md +208 −0 created

Details

1# Codex Micro

2 

3<div class="grid gap-6 lg:grid-cols-2 lg:items-start lg:gap-10">

4 <div class="min-w-0 [&_p]:!mt-0">

5 

6Codex Micro is a limited-run collaboration between Codex and Work Louder. It

7works with the ChatGPT desktop app, giving you a quick way to check on tasks,

8jump between them, use push-to-talk, and trigger common actions or skills

9without leaving the keyboard.

10 

11 </div>

12 <div class="min-w-0">

13 <Illustration description="Interactive Codex Micro keyboard with illuminated Agent Keys, customizable Command Keys, a dial, and an analog stick">

14 <CodexMicroKeyboardIllustration

15 ariaLabel="Interactive Codex Micro keyboard with illuminated Agent Keys, customizable Command Keys, a dial, and an analog stick"

16 />

17 </Illustration>

18 </div>

19</div>

20 

21## Set up Codex Micro

22 

231. Open the ChatGPT desktop app.

242. Connect Codex Micro to your computer with a USB-C cable or Bluetooth, then

25 follow the setup that appears when ChatGPT detects it.

263. On macOS, allow **Input Monitoring** when prompted so ChatGPT can respond to

27 key presses.

284. Open **Settings > Codex Micro** to choose which tasks the Agent Keys follow,

29 assign actions to the Command Keys and analog directions, and adjust the

30 lighting.

31 

32To open these settings again, press and hold the dial for 500 milliseconds or

33select the Codex Micro icon beside your account name at the bottom of ChatGPT.

34 

35You'll see **Codex Micro** in Settings after ChatGPT detects the device for the

36first time. If you want to use the device outside ChatGPT, customize those

37controls with [Work Louder Input](https://worklouder.cc/micro-setup).

38 

39## Read and switch tasks with Agent Keys

40 

41Each of the six frosted Agent Keys can follow a task and light up to show its

42current status. Press an Agent Key once to switch to that task without bringing

43ChatGPT forward. Press it twice within 350 milliseconds to switch tasks and

44bring the ChatGPT window forward.

45 

46| Light | Status | Meaning |

47| ----- | ---------------- | ----------------------------------------- |

48| White | Idle | The task is idle. |

49| Blue | Thinking | ChatGPT is working. |

50| Green | Complete | The task completed with an unread update. |

51| Amber | Requires input | ChatGPT needs your approval or response. |

52| Red | Error | Something went wrong. |

53| Off | No assigned task | The key doesn't follow a task. |

54 

55The selected task's key pulses with its status light.

56 

57Out of the box, the keys follow your six most recently updated tasks, whether

58or not they're pinned. You can change **Agent source** in **Settings > Codex

59Micro** to use a different arrangement:

60 

61- **Most recent tasks**: Follow the six most recently updated tasks, pinned or

62 unpinned.

63- **Pinned tasks**: Follow the first six tasks in **Pinned**.

64- **Priority tasks**: Put tasks waiting for input, unread tasks, and active

65 tasks first.

66- **Custom assignments**: Choose the task assigned to each Agent Key. Press an

67 unassigned Agent Key to open a new task. When you start the task, ChatGPT

68 assigns it to that key.

69 

70The status colors stay the same. You can decide which tasks the Agent Keys

71follow, but you can't turn them into extra Command Keys.

72 

73## Use and customize Command Keys

74 

75Codex Micro comes with six actions in its default layout:

76 

77<div class="grid gap-6 md:grid-cols-[minmax(0,1fr)_minmax(16rem,42%)] md:items-start">

78 <div class="min-w-0 [&_table]:!mt-0 [&_td:first-child]:!px-2 [&_th:first-child]:!px-2 md:order-2">

79 

80| Key | Default action |

81| :-------------------------------------------------------: | ---------------------------------------- |

82| <CodexMicroTableKeycap keycapId="FAST" label="Fast" /> | Turn Fast mode on or off. |

83| <CodexMicroTableKeycap keycapId="APPR" label="Approve" /> | Approve the current request. |

84| <CodexMicroTableKeycap keycapId="REJ" label="Decline" /> | Decline the current request. |

85| <CodexMicroTableKeycap keycapId="SPLIT" label="Fork" /> | Continue the current task in a new task. |

86| <CodexMicroTableKeycap keycapId="MIC" label="Mic" /> | Start push-to-talk. |

87| <CodexMicroTableKeycap keycapId="CODEX" label="Codex" /> | Send the message in the composer. |

88 

89 </div>

90 <div class="min-w-0 md:order-1">

91 

92The Mic key uses your computer's microphone. Codex Micro doesn't have a

93microphone of its own. Hold the key while you speak, then release it to stop.

94For hands-free recording, press it twice within 350 milliseconds to keep

95recording. Press it again to stop.

96 

97A sea-green light moves around the keyboard while you record. It changes to a

98moving white light while ChatGPT processes your speech, then turns solid white

99when the prompt is ready. Press the Codex key to send it.

100 

101In **Settings > Codex Micro**, select a Command Key, then choose its keycap and

102action. You can open the browser or terminal, review changes, commit with Git,

103create a pull request, attach files or photos, manage scheduled tasks, change

104reasoning effort, or open **Skills**. If you choose a keycap that's already used

105somewhere else, ChatGPT swaps the two instead of using one keycap twice.

106 

107After you remap a key, swap the physical keycap to match its new action.

108 

109 </div>

110</div>

111 

112## Use the analog stick and dial

113 

114<div class="grid gap-6 md:grid-cols-[minmax(0,1fr)_minmax(16rem,42%)] md:items-start">

115 <div class="min-w-0">

116 

117The analog stick moves freely in any direction. When you push it far enough

118from the center, ChatGPT turns the movement into one of four directional

119actions. Codex Micro starts with the mappings shown here.

120 

121Choose any available ChatGPT desktop command or enabled skill for each

122direction in **Settings > Codex Micro**.

123 

124 </div>

125 <div class="min-w-0 [&_table]:!mt-0">

126 

127| Direction | Default action |

128| --------- | -------------------------- |

129| Up | Turn Plan mode on or off. |

130| Right | Go forward in app history. |

131| Down | Show or hide the sidebar. |

132| Left | Go back in app history. |

133 

134 </div>

135</div>

136 

137The dial moves through the composer controls and options, with **Reasoning**

138selected by default. Turn the dial to change the selection, then press it to

139open or select the focused control. When a composer control or menu is open,

140the Agent Key immediately to the right of the dial lights red. Press that key

141to cancel.

142 

143In **Settings > Codex Micro**, choose whether the dial uses **Composer

144navigation** or **Reasoning only**. In **Reasoning only** mode, turning the dial

145opens and adjusts reasoning effort. Press the dial to open the slider or its

146advanced options.

147 

148## Adjust lighting

149 

150In **Settings > Codex Micro**, adjust the brightness and choose how long the

151lights stay on when you're not using Codex Micro. They come back on when you

152use the keyboard or an Agent Key changes status. By default, the lights turn

153off after three minutes.

154 

155When the keyboard reports its battery status, you can see it in **Settings >

156Codex Micro** and in the Codex Micro icon's sidebar tooltip.

157 

158## Add more layers

159 

160Codex uses layer 1. Use [Work Louder

161Input](https://worklouder.cc/micro-setup) to configure up to five more layers

162with shortcuts and actions for other apps.

163 

164## Troubleshoot Codex Micro

165 

166### Pair the keyboard again

167 

168Use the bottom-left touch control to start pairing again. The rear button

169controls power and doesn't start pairing.

170 

1711. Hold the bottom-left touch control for three seconds to enter communication

172 mode.

1732. Tap the control to choose Bluetooth channel 1, 2, or 3.

1743. Hold the control for three seconds on that channel. The channel light flashes

175 while pairing and turns solid when paired.

176 

177### Fix Input Monitoring on macOS

178 

179If **Settings > Codex Micro** shows that Input Monitoring isn't set up, select

180**Open System Settings**, then follow these steps:

181 

1821. Open **System Settings > Privacy & Security > Input Monitoring**.

1832. Turn on access for ChatGPT if it's already listed. If it's missing, drag

184 **ChatGPT** from Applications into the list, or select **Add (+)** and choose

185 **ChatGPT**.

1863. Quit and reopen ChatGPT, then confirm ChatGPT detects Codex Micro on layer 1.

187 

188For more about this macOS permission, see [Apple's Input Monitoring

189guide](https://support.apple.com/guide/mac-help/mchl4cedafb6/mac).

190 

191### Get more Work Louder help

192 

193For help with Bluetooth, cables, power, or resetting the keyboard, see

194the [Creator Micro 2 setup guide from Work Louder](https://worklouder.cc/micro-setup).

195For direct support, email [hello@worklouder.cc](mailto:hello@worklouder.cc).

196 

197## Get Codex Micro

198 

199You can buy Codex Micro through [OpenAI Supply

200Co](https://openai.com/supply/co-lab/work-louder/) while supplies last.

201 

202{/* vale Microsoft.We = NO */}

203{/* vale write-good.TooWordy = NO */}

204 

205We expect orders to begin shipping shortly after purchase.

206 

207{/* vale Microsoft.We = YES */}

208{/* vale write-good.TooWordy = YES */}

security/plugin.md +33 −21

Details

6in code you own or have authorization to assess before they reach production.6in code you own or have authorization to assess before they reach production.

7 7 

8This quickstart takes you through one recommended first run: an ordinary,8This quickstart takes you through one recommended first run: an ordinary,

9read-only scan of a local repository in the ChatGPT desktop app.9read-only scan of a local repository in Codex.

10 10 

11This page covers the plugin that runs in a local Codex task. To scan a11This page covers the plugin that runs in a local Codex task. To scan a

12 connected GitHub repository in Codex cloud, see [Codex Security cloud12 connected GitHub repository in Codex cloud, see [Codex Security cloud


14 14 

15## Install the plugin15## Install the plugin

16 16 

17Open the repository you want to assess in Codex in the ChatGPT desktop app, then

18install Codex Security:

19 17 

20<div className="not-prose my-6">18 

191. Open the repository you want to assess in Codex in the [ChatGPT desktop

20 app](https://chatgpt.com/download/).

212. Go to **Plugins** and search for **Codex Security**, or select the button

22 below:

23 

24 <div className="not-prose my-6">

21 <ButtonLink25 <ButtonLink

22 href="codex://plugins/install/codex-security?marketplace=openai-curated"26 href="codex://plugins/install/codex-security?marketplace=openai-curated"

23 color="primary"27 color="primary"


27 >31 >

28 Install the Codex Security plugin32 Install the Codex Security plugin

29 </ButtonLink>33 </ButtonLink>

30</div>34 </div>

35 

363. Start a new task in Codex for that repository (don't continue in a task that

37 was already open).

38 

39 

40 

41 

42 

31 43 

32After installation, start a new task in Codex for that repository. The app loads

33plugins when the task starts, so don't continue in a task that was already open.

34 44 

35## Run your first scan45## Run your first scan

36 46 


107 119 

108</WorkflowSteps>120</WorkflowSteps>

109 121 

122 

123 

124 

125 

126 

127 

110## What the scan creates128## What the scan creates

111 129 

130 

131 

112Every completed scan opens a findings workspace. Use it to review findings and132Every completed scan opens a findings workspace. Use it to review findings and

113coverage without inspecting raw artifacts. The scan also creates:133coverage without inspecting raw artifacts. The scan also creates the files

134below.

135 

136 

137 

138 

139 

140 

114 141 

115- `report.md`, a complete portable report for sharing or archiving.142- `report.md`, a complete portable report for sharing or archiving.

116- Structured scan data in `scan-manifest.json`, `findings.json`, and143- Structured scan data in `scan-manifest.json`, `findings.json`, and


132- [Export or track findings](https://learn.chatgpt.com/docs/security/plugin/export-findings) when you159- [Export or track findings](https://learn.chatgpt.com/docs/security/plugin/export-findings) when you

133 need JSON, CSV, SARIF, an approval-gated Linear, GitHub, or Jira issue, or a160 need JSON, CSV, SARIF, an approval-gated Linear, GitHub, or Jira issue, or a

134 private draft GitHub Security Advisory.161 private draft GitHub Security Advisory.

135 

136## Install from Codex CLI

137 

138To install the same plugin from Codex CLI, start Codex in the repository and

139open the plugin browser:

140 

141```text

142codex

143/plugins

144```

145 

146Search for **Codex Security**, select `Install plugin`, and start a new task.

147Then use the same first-scan prompt.

Details

53## Automate reviews in CI/CD53## Automate reviews in CI/CD

54 54 

55Run the same `$codex-security:security-diff-scan` skill from CI when the runner55Run the same `$codex-security:security-diff-scan` skill from CI when the runner

56can invoke the Codex CLI without interaction. The runner must already have56can invoke the Codex CLI without interaction. First install the CLI and plugin

57Codex Security installed in the `CODEX_HOME` used by `codex exec`. A fresh57without exposing the scan credential:

58runner doesn't have marketplace plugins installed by default, and

59`openai/codex-action` doesn't install the plugin.

60 58 

61Before running the scan:59```bash

60npm install --global @openai/codex

61codex plugin add codex-security@openai-curated

62```

63 

64Then expose an OpenAI API key from your CI secret store as

65`CODEX_SECURITY_API_KEY` only for the scan:

62 66 

631. Provision Codex Security in the runner's `CODEX_HOME`.67```bash

642. Check out the exact base and head revisions with their Git history.68CODEX_API_KEY="$CODEX_SECURITY_API_KEY" codex exec \

653. Set the runner's platform temporary directory, such as `TMPDIR`, to a69 --sandbox workspace-write \

66 writable artifact location. The diff-scan workflow reviews the checkout70 "Use \$codex-security:security-diff-scan to review changes from $BASE_REVISION to $HEAD_REVISION for security regressions. Do not modify the checkout."

67 without changing it, but it writes its sealed scan bundle and final report71```

68 outside the repository.

694. Start with advisory results. Review scan quality and runtime before making

70 the job a required check.

71 72 

72Then invoke the plugin explicitly:73The scan writes its output to

74`$TMPDIR/codex-security-scans/<repository>/<scan-id>/`:

75 

76| File | Contents |

77| -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |

78| `findings.json` | Findings with stable identifiers, severity, confidence, source locations, and remediation. Use it to create pull-request comments or feed downstream tools. |

79| `scan-manifest.json` | Sealed scan receipt with the reviewed target, revisions, and artifact hashes. |

80| `coverage.json` | Reviewed and deferred surfaces, exclusions, and coverage completeness. |

81 

82The [`findings.json` schema](https://github.com/openai/plugins/blob/main/plugins/codex-security/schemas/findings.schema.json)

83defines the complete structure. Some key fields are:

84 

85| Field | Type | Description |

86| ------------------------- | ------ | ---------------------------------------------------------------------- |

87| `documentType` | String | Identifies the document as `codex-security.findings`. |

88| `schemaVersion` | String | Identifies the findings schema version. |

89| `scanId` | String | Identifies the scan that produced the findings. |

90| `findings` | Array | Contains zero or more finding objects. |

91| `findings[].findingId` | String | Stable finding identifier derived from the finding fingerprint. |

92| `findings[].occurrenceId` | String | Identifies this occurrence of the finding in a specific scan. |

93| `findings[].ruleId` | String | Identifies the vulnerability family. |

94| `findings[].identity` | Object | Contains the semantic anchor and optional sibling-instance identifier. |

95| `findings[].fingerprints` | Object | Contains the fingerprint algorithm and primary fingerprint. |

96| `findings[].title` | String | Provides the short finding title. |

97| `findings[].summary` | String | Summarizes the vulnerability and its impact. |

98| `findings[].severity` | Object | Contains the severity level and optional scoring details. |

99| `findings[].confidence` | Object | Contains the confidence level and rationale. |

100| `findings[].taxonomy` | Object | Contains the vulnerability category and CWE identifiers. |

101| `findings[].locations` | Array | Lists affected files, line numbers, and location roles. |

102| `findings[].remediation` | String | Describes the recommended fix. |

103| `findings[].provenance` | Object | Identifies the source of the finding. |

104 

105For example, this command prints one tab-separated row per finding:

73 106 

74```bash107```bash

75export CODEX_HOME=/path/to/provisioned-codex-home108jq -r '

76export TMPDIR=/path/to/writable/temp109 .findings[] |

110 [.findingId, .severity.level, .confidence.level, .locations[0].path, .locations[0].startLine, .title] |

111 @tsv

112' findings.json

113```

77 114 

78codex exec \115These examples assume a trusted Linux runner with Node.js and `npm`, Git, Python

1163, `jq`, and the provider's command-line tools. The `npm` global package prefix

117must be writable.

118 

119Here are examples of how to use Codex Security in common pipelines:

120 

121<Tabs

122 id="codex-security-ci-examples"

123 param="ci"

124 defaultTab="github"

125 tabs={[

126 { id: "github", label: "GitHub Actions" },

127 { id: "gitlab", label: "GitLab CI/CD" },

128 { id: "azure", label: "Azure Pipelines" },

129 { id: "jenkins", label: "Jenkins" },

130 ]}

131>

132 <div slot="github">

133 

134```yaml

135name: Codex Security review

136 

137on:

138 pull_request:

139 

140jobs:

141 security-review:

142 if: github.event.pull_request.head.repo.full_name == github.repository

143 runs-on: ubuntu-latest

144 permissions:

145 contents: read

146 pull-requests: write

147 steps:

148 - uses: actions/checkout@v5

149 with:

150 ref: ${{ github.event.pull_request.head.sha }}

151 fetch-depth: 0

152 persist-credentials: false

153 

154 - name: Install Codex Security

155 env:

156 CODEX_HOME: ${{ runner.temp }}/codex-home

157 run: |

158 npm install --global @openai/codex

159 codex plugin add codex-security@openai-curated

160 

161 - name: Review code changes

162 env:

163 CODEX_SECURITY_API_KEY: ${{ secrets.CODEX_SECURITY_API_KEY }}

164 CODEX_HOME: ${{ runner.temp }}/codex-home

165 TMPDIR: ${{ runner.temp }}/codex-security

166 BASE_SHA: ${{ github.event.pull_request.base.sha }}

167 HEAD_REVISION: ${{ github.event.pull_request.head.sha }}

168 run: |

169 BASE_REVISION="$(git merge-base "$BASE_SHA" "$HEAD_REVISION")"

170 CODEX_API_KEY="$CODEX_SECURITY_API_KEY" codex exec \

79 --sandbox workspace-write \171 --sandbox workspace-write \

80 --output-last-message "$TMPDIR/codex-security-review.md" \172 "Use \$codex-security:security-diff-scan to review changes from $BASE_REVISION to $HEAD_REVISION for security regressions. Do not modify the checkout."

81 'Use $codex-security:security-diff-scan to review changes from <base-revision> to <head-revision> for security regressions. Do not modify the checkout. Return the final report path, findings summary, reviewed surfaces, deferred coverage, and open questions.'173 

174 - name: Comment with findings

175 if: always()

176 env:

177 GH_TOKEN: ${{ github.token }}

178 PR_NUMBER: ${{ github.event.pull_request.number }}

179 run: |

180 findings="$(find "${{ runner.temp }}/codex-security/codex-security-scans" -name findings.json -print -quit 2>/dev/null || true)"

181 test -n "$findings" || exit 0

182 jq -r '

183 "## Codex Security findings",

184 "",

185 if (.findings | length) == 0 then "No findings reported."

186 else .findings[] | "- **\(.severity.level | ascii_upcase)**: \(.title) (`\(.locations[0].path):\(.locations[0].startLine)`)\n \(.summary)"

187 end

188 ' "$findings" | gh pr comment "$PR_NUMBER" --body-file -

189 

190 - uses: actions/upload-artifact@v4

191 if: always()

192 with:

193 name: codex-security-review

194 path: ${{ runner.temp }}/codex-security/codex-security-scans

82```195```

83 196 

84Archive the generated scan bundle and final report, then publish the Markdown197 </div>

85summary through your CI/CD system. If you use `openai/codex-action`, point its198 

86`codex-home` input at the same provisioned directory and pass the skill prompt199 <div slot="gitlab">

87above. The action can install and run the Codex CLI, but plugin provisioning is200 

88a separate prerequisite.201Create masked `CODEX_SECURITY_API_KEY` and `GITLAB_TOKEN` CI/CD variables. The

202GitLab token needs API access to create a merge-request note.

203 

204```yaml

205codex-security-review:

206 rules:

207 - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_SOURCE_PROJECT_ID == $CI_PROJECT_ID'

208 variables:

209 GIT_DEPTH: "0"

210 script:

211 - |

212 codex_security_api_key="$CODEX_SECURITY_API_KEY"

213 unset CODEX_SECURITY_API_KEY GITLAB_TOKEN

214 export CODEX_HOME="/tmp/codex-home-$CI_JOB_ID"

215 export TMPDIR="/tmp/codex-security-$CI_JOB_ID"

216 export BASE_REVISION="$CI_MERGE_REQUEST_DIFF_BASE_SHA"

217 export HEAD_REVISION="${CI_MERGE_REQUEST_SOURCE_BRANCH_SHA:-$CI_COMMIT_SHA}"

218 npm install --global @openai/codex

219 codex plugin add codex-security@openai-curated

220 CODEX_API_KEY="$codex_security_api_key" codex exec \

221 --sandbox workspace-write \

222 "Use \$codex-security:security-diff-scan to review changes from $BASE_REVISION to $HEAD_REVISION for security regressions. Do not modify the checkout."

223 after_script:

224 - |

225 gitlab_token="$GITLAB_TOKEN"

226 unset CODEX_SECURITY_API_KEY GITLAB_TOKEN

227 scan_root="/tmp/codex-security-$CI_JOB_ID/codex-security-scans"

228 findings="$(find "$scan_root" -name findings.json -print -quit 2>/dev/null || true)"

229 if [ -n "$findings" ]; then

230 jq -r '

231 "## Codex Security findings",

232 "",

233 if (.findings | length) == 0 then "No findings reported."

234 else .findings[] | "- **\(.severity.level | ascii_upcase)**: \(.title) (`\(.locations[0].path):\(.locations[0].startLine)`)\n \(.summary)"

235 end

236 ' "$findings" > codex-security-comment.md

237 curl --fail --request POST \

238 --header "PRIVATE-TOKEN: $gitlab_token" \

239 --form "body=<codex-security-comment.md" \

240 "$CI_API_V4_URL/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes"

241 fi

242 if [ -d "$scan_root" ]; then

243 tar -czf codex-security-artifacts.tar.gz -C "$scan_root" .

244 fi

245 artifacts:

246 when: always

247 paths:

248 - codex-security-artifacts.tar.gz

249```

250 

251 </div>

252 

253 <div slot="azure">

254 

255```yaml

256trigger: none

257 

258pool:

259 vmImage: ubuntu-latest

260 

261steps:

262 - checkout: self

263 fetchDepth: 0

264 

265 - bash: |

266 set -euo pipefail

267 export CODEX_HOME="$AGENT_TEMPDIRECTORY/codex-home"

268 npm install --global @openai/codex

269 codex plugin add codex-security@openai-curated

270 displayName: Install Codex Security

271 

272 - bash: |

273 set -euo pipefail

274 export CODEX_HOME="$AGENT_TEMPDIRECTORY/codex-home"

275 export TMPDIR="$AGENT_TEMPDIRECTORY/codex-security"

276 export HEAD_REVISION="$SYSTEM_PULLREQUEST_SOURCECOMMITID"

277 export BASE_REVISION="$(git merge-base HEAD^1 "$HEAD_REVISION")"

278 CODEX_API_KEY="$CODEX_SECURITY_API_KEY" codex exec \

279 --sandbox workspace-write \

280 "Use \$codex-security:security-diff-scan to review changes from $BASE_REVISION to $HEAD_REVISION for security regressions. Do not modify the checkout."

281 displayName: Review code changes

282 condition: and(succeeded(), ne(variables['System.PullRequest.IsFork'], 'True'))

283 env:

284 CODEX_SECURITY_API_KEY: $(CODEX_SECURITY_API_KEY)

285 

286 - publish: $(Agent.TempDirectory)/codex-security/codex-security-scans

287 artifact: codex-security-review

288 condition: always()

289```

290 

291For Azure Repos, configure a **Build validation** branch policy to run the

292pipeline on pull requests.

293 

294 </div>

295 

296 <div slot="jenkins">

297 

298```groovy

299pipeline {

300 agent { label 'linux' }

301 stages {

302 stage('Codex Security review') {

303 when {

304 allOf {

305 changeRequest()

306 expression { !env.CHANGE_FORK?.trim() }

307 }

308 }

309 steps {

310 sh '''#!/usr/bin/env bash

311 set -euo pipefail

312 export CODEX_HOME="/tmp/codex-home-$BUILD_TAG"

313 export TMPDIR="/tmp/codex-security-$BUILD_TAG"

314 mkdir -p "$TMPDIR"

315 git fetch --no-tags origin "$CHANGE_TARGET"

316 target="$(git rev-parse FETCH_HEAD)"

317 git fetch --no-tags origin "$CHANGE_BRANCH"

318 git rev-parse FETCH_HEAD > "$TMPDIR/head"

319 git merge-base "$target" "$(cat "$TMPDIR/head")" > "$TMPDIR/base"

320 npm install --global @openai/codex

321 codex plugin add codex-security@openai-curated

322 '''

323 withCredentials([string(credentialsId: 'codex-security-api-key', variable: 'CODEX_SECURITY_API_KEY')]) {

324 sh '''#!/usr/bin/env bash

325 set +x

326 set -euo pipefail

327 export CODEX_HOME="/tmp/codex-home-$BUILD_TAG"

328 export TMPDIR="/tmp/codex-security-$BUILD_TAG"

329 export HEAD_REVISION="$(cat "$TMPDIR/head")"

330 export BASE_REVISION="$(cat "$TMPDIR/base")"

331 CODEX_API_KEY="$CODEX_SECURITY_API_KEY" codex exec \

332 --sandbox workspace-write \

333 "Use \$codex-security:security-diff-scan to review changes from $BASE_REVISION to $HEAD_REVISION for security regressions. Do not modify the checkout."

334 '''

335 }

336 }

337 post {

338 always {

339 sh '''#!/usr/bin/env bash

340 set -euo pipefail

341 scan_root="/tmp/codex-security-$BUILD_TAG/codex-security-scans"

342 if [ -d "$scan_root" ]; then

343 tar -czf codex-security-artifacts.tar.gz -C "$scan_root" .

344 fi

345 '''

346 archiveArtifacts artifacts: 'codex-security-artifacts.tar.gz', allowEmptyArchive: true

347 }

348 }

349 }

350 }

351}

352```

353 

354 </div>

355</Tabs>

356 

357The examples skip forked pull requests. Run credentialed jobs only from a

358protected pipeline definition and only for contributors trusted with the scan

359credential. Archive `codex-security-scans` to keep the structured findings,

360manifest, and coverage artifacts. Start with advisory results and review

361coverage and runtime before making the job a required check.

89 362 

90For API-key handling, sandbox controls, fork protections, and a GitHub Actions363For API-key handling and sandbox controls, see [Non-interactive

91workflow, see the [Codex GitHub Action guide](https://learn.chatgpt.com/docs/github-action).364mode](https://learn.chatgpt.com/docs/non-interactive-mode). If your organization permits the [Codex

365GitHub Action](https://learn.chatgpt.com/docs/github-action), it can install the CLI at runtime, but

366you must still install the plugin first and point the action's `codex-home`

367input at the same `CODEX_HOME`.

speed.md +7 −5

Details

10credit consumption.10credit consumption.

11 11 

12Fast mode increases supported model speed by 1.5x and consumes credits at a12Fast mode increases supported model speed by 1.5x and consumes credits at a

13higher rate than Standard mode. It currently supports GPT-5.5 and GPT-5.4,13higher rate than Standard mode. It currently supports GPT-5.6, GPT-5.5, and

14consuming credits at 2.5x the Standard rate for GPT-5.5 and 2x the Standard14GPT-5.4. GPT-5.6 and GPT-5.5 consume credits at 2.5x the Standard rate;

15rate for GPT-5.4.15GPT-5.4 consumes credits at 2x the Standard rate.

16 16 

17Use `/fast on`, `/fast off`, or `/fast status` in the CLI to change or inspect17Use `/fast on`, `/fast off`, or `/fast status` in the CLI to change or inspect

18the current setting. You can also persist the default with `service_tier =18the current setting. You can also persist the default with `service_tier =

19"fast"` plus `[features].fast_mode = true` in `config.toml`. Fast mode is19"fast"` plus `[features].fast_mode = true` in `config.toml`. Fast mode is

20available in the ChatGPT desktop app, Codex CLI, and IDE extension when you20available in the ChatGPT desktop app, Codex CLI, and IDE extension when you

21sign in with ChatGPT. With an API key, Codex uses standard API pricing instead21sign in with ChatGPT. Fast mode is a ChatGPT credit feature. With an API key,

22and you can't use Fast mode credits.22Codex uses API token pricing instead, and ChatGPT credit multipliers don't

23apply. API Priority processing has its own billing rate; for GPT-5.6, it costs

242x the Standard API token rate.

23 25 

24<VideoPlayer26<VideoPlayer

25 src="/videos/codex/fast-mode-demo.mp4"27 src="/videos/codex/fast-mode-demo.mp4"

Details

22 22 

23Then follow the [quickstart](https://learn.chatgpt.com/docs/quickstart?setup=app) to get started.23Then follow the [quickstart](https://learn.chatgpt.com/docs/quickstart?setup=app) to get started.

24 24 

25For enterprises, administrators can deploy the app with Microsoft Store app25For enterprise installation and update options, see

26distribution through enterprise management tools.26[Deploy the Windows app](https://learn.chatgpt.com/docs/enterprise/windows-deployment).

27 27 

28If you prefer a command-line install path, or need an alternative to opening28If you prefer a command-line install path, run:

29the Microsoft Store UI, run:

30 29 

31```powershell30```powershell

32winget install Codex -s msstore31winget install --id 9PLM9XGG6VKS -s msstore

33```32```

34 33 

35## Native sandbox34## Native sandbox